CVE Alert: CVE-2025-9610 – code-projects – Online Event Judging System

CVE-2025-9610

HIGH

No exploitation known

A vulnerability was determined in code-projects Online Event Judging System 1.0. This issue affects some unknown processing of the file /create_account.php. Manipulation of the argument fname causes SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. Other parameters might be affected as well.

CVSS v3.1 score: 7.3
Vendor: code-projects
Product: Online Event Judging System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-08-29T03:32:08.500Z
Updated: 2025-08-29T03:32:08.500Z

AI Summary Analysis

Risk verdict

High risk: remote SQL injection with public exploit guidance exists, exploitable without authentication; urgent attention required.

Why this matters

If weaponised, attackers can read or alter data and potentially create or compromise user accounts, undermining data integrity and system availability during events. With an advisory and public disclosure, opportunistic exploitation against internet-facing deployments is likely.

Most likely attack path

Attackers send crafted requests to the vulnerable endpoint to inject SQL via the fname parameter, benefiting from no authentication, no user interaction, and network access. The CVSS metrics indicate remote, unauthenticated access with low complexity and significant potential data impact, though scope remains within the web app’s database and may not automatically grant broader network takeover.

Who is most exposed

Web-facing deployments of the online judging system, especially in small/medium setups or shared hosting with weaker input handling and limited WAF controls, are at highest risk.

Detection ideas

  • SQL error messages or database traces appearing in responses or logs linked to create_account.php
  • Anomalous fname payloads containing quotes, UNION/SELECT, or other typical SQLi patterns
  • Sudden spikes or bursts in requests to create_account.php, especially from single IPs or unusual user agents
  • IDS/IPS or WAF alerts for SQL injection indicators
  • Unexpected data access following suspicious account creation attempts
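The detection ideas above turned into a small log triage script. This is an added example, not part of the advisory or of the vendor's code; it assumes Apache combined-format access logs, uses constructed sample lines, and checks every query parameter (not only fname) because the advisory notes that other parameters may be affected.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit
# Constructed sample lines in Apache "combined" format; not taken from any real deployment.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2025:10:01:02 +0000] "GET /create_account.php?fname=Alice&lname=Smith HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Aug/2025:10:01:05 +0000] "GET /create_account.php?fname=a%27%20OR%201%3D1--&lname=x HTTP/1.1" 500 310 "-" "python-requests/2.31"
203.0.113.9 - - [29/Aug/2025:10:01:06 +0000] "GET /create_account.php?fname=a%27%20UNION%20SELECT%201,2,3--&lname=x HTTP/1.1" 500 310 "-" "python-requests/2.31"
203.0.113.9 - - [29/Aug/2025:10:01:07 +0000] "GET /create_account.php?fname=O%27Brien&lname=x HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Indicators from the advisory: a quote opening a boolean/UNION clause, UNION ... SELECT, or a
# SQL comment opener. A lone apostrophe in a legitimate name (O'Brien) deliberately does not fire.
SQLI_RE = re.compile(r"""['"]\s*(?:or|and|union)\b|\bunion\b.*\bselect\b|--|/\*""", re.I)

def parse_line(line):
    """Parse one access-log line into a dict with the decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return rec

def flag_sqli(records, endpoint="/create_account.php"):
    """(ip, ts, param, value) for endpoint requests with an SQLi indicator in any parameter."""
    hits = []
    for r in records:
        if r["path"] != endpoint:
            continue
        for name, values in r["params"].items():  # all params: the advisory says others may be hit
            hits.extend((r["ip"], r["ts"], name, v) for v in values if SQLI_RE.search(v))
    return hits

def burst_sources(records, endpoint="/create_account.php", threshold=3):
    """Source IPs with at least `threshold` requests to the endpoint in the analysed window."""
    counts = Counter(r["ip"] for r in records if r["path"] == endpoint)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def server_errors(records, endpoint="/create_account.php"):
    """Endpoint requests answered with a 5xx, a common sign of SQL errors surfacing in PHP."""
    return [(r["ip"], r["ts"], r["status"]) for r in records if r["path"] == endpoint and r["status"].startswith("5")]

def analyse(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {"sqli": flag_sqli(records), "bursts": burst_sources(records), "errors": server_errors(records)}
```

Run `analyse(SAMPLE_LOG)` to see the two injection hits, the single bursting source and the two 5xx responses; the O'Brien request is correctly left alone.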

Mitigation and prioritisation

  • Apply or deploy a patch that neutralises the SQL injection (parameterised queries/prepared statements) and verify the fix in a test environment.
  • Refactor create_account.php to use bound parameters; implement input validation and least-privilege DB accounts.
  • Enable strict input sanitisation, implement Web Application Firewall rules for SQLi, and monitor logs/alerts around this endpoint.
  • Change-management: redeploy with regression testing; audit for any data exposure or account changes post-fix.
  • If the CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog or its EPSS score is ≥ 0.5, treat it as priority 1.
